The Definitive Cyber Security Statistics Guide for 2020

Cyber attacks continue to grow in both numbers and ferocity — 2019 was just a sign of the things to come. Here’s your list of 122 of the most current cybersecurity industry, cyber attack, and data breach statistics for 2020 and beyond

Last year, we published our first comprehensive list of cyber security statistics for our readers on Hashed Out. The article was such a hit that we wanted to make this an annual project that we publish with updated cybersecurity stats each year. This way, you know right away where you can turn for all of your cyber security data needs.

This year, we wanted to up the ante and increased the number of cybersecurity statistics we report from 80 to 122. Since we’re using the most current information available — most of the data comes from 2019 and 2020 reports, studies, and news reports — it’s been a pretty massive undertaking. But we’re excited to share with you as much current and useful information as possible from many of the world’s leading sources and industry leaders.

So, what numbers and sources made our list of the 122 top cyber security statistics for 2020 (and the years to come)?

Let’s hash it out.

What we’re hashing out…

  1. Cyber attacks continue to grow in both numbers and ferocity — 2019 was just a sign of the things to come. Here’s your list of 122 of the most current cybersecurity industry, cyber attack, and data breach statistics for 2020 and beyond
    1. Cyber Security Statistics: Our Choice of the Top 122 Statistics for the Year 2020 (So Far)
      1. Cyber Security Statistics: An Overall Industry Perspective and the Economic Outlook
        1. Cyber Security Statistics: What Organizations Are Investing in Cyber Security
          1. Cyber Security Statistics: Where the Industry Stands in Terms of Employment
            1. Cyber Security Statistics: Top Cyber Attack and Data Breach Statistics and Trends
              1. Cyber Security Statistics: A By-the-Numbers Look at Victims and Compromised Records Data
                1. Cyber Security Statistics: The Costs of the Top Cyber Attacks and Data Breaches in 2020 (So Far)
                  1. Cyber Security Statistics: The Costs of BEC Scams, Cyber Attacks, and Data Breaches in 2019
                    1. Cyber Security Statistics: A Look at the Types of Threats That Can Impact Your Business
                      1. Employee Complacency or Collaboration Issues
                        1. Poor Asset Visibility and Management
                          1. Defense Evasion Behaviors
                            1. Domain Impersonation/Spoofing
                              1. Lack of Visibility and Enforced Processes
                                1. HTTPS and Website Phishing
                                  1. Insider Threats (Intentional or Negligence)
                                    1. IoT Security
                                      1. Malicious ReCaptcha
                                        1. Password Security
                                          1. Phishing
                                            1. Ransomware
                                              1. Web Applications
                                                1. Cyber Security Statistics: A Breakdown of Cyber Attack Statistics by Industry
                                                  1. Cyber security Statistics: IT and Data Privacy Compliance and Risk Management Statistics
                                                    1. Cyber Security Statistics: Cybersecurity Statistics By Location
                                                      1. North America
                                                        1. South America
                                                          1. Mexico and Central America
                                                            1. Middle East
                                                              1. Europe
                                                            2. Wrapping Up the 2020 List of Cyber Security Statistics

                                                              Cyber Security Statistics: Our Choice of the Top 122 Statistics for the Year 2020 (So Far)

                                                              Before we get started, there’s one quick thing I’d like to mention. Something that’s always important to consider when you’re looking at any list of cybersecurity statistics is that:

                                                              1. The data is going to vary by source, and
                                                              2. Not all cyber incidents and cybercrimes are reported.

                                                              Various organizations use different qualifiers and methodologies in their reporting in terms of what may qualify as a cyber incident or data breach. Furthermore, the research is typically based on their own internal systems data, customers monitoring data, or information reported by victims of cybercrimes or survey responses from people within specific industries. And considering it can take weeks, months, or even years for some breaches or cyber attacks to be discovered — if they’re discovered at all — it means that the actual numbers may actually be higher (or lower) than what’s reported.

                                                              These are just some of the reasons why you’ll often see different information from one company to the next. With these things in mind, here are your top cyber security statistics for 2020:

                                                              Cyber Security Statistics: An Overall Industry Perspective and the Economic Outlook

                                                              1. Business Email Compromise / Email Account Compromise Scam Costs Top $26 Billion

                                                              cyber security statistics graphic representing BEC / EAC scams

                                                              Holy crap. That’s a horrifying number! But before we rush on to the next statistic, let’s look at this disturbing cyber security stat a little more closely to get some context.

                                                              While it’s true that the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center’s (IC3) did report that $26.2 billion dollars was the reported domestic and international losses reported between June 2016 and July 2019, we need to stop a moment and take a breath.

                                                              Don’t get me wrong — that number is still more disturbing than the scenarios told in children’s nursery rhymes. But it’s important to note that this isn’t an annual cost of $26 billion, but rather an accumulated cost that’s calculated over a three-year period based on data from the IC3 and international law enforcement. We just want to make sure that you have that bit of context.

                                                              So, what was the one-year calculation of adjusted losses due to BEC/EAC complaints? More than $1.7 billion due to 23,775 complaints, the IC3 states in its 2019 Internet Crime Report.

                                                              2. More Than $3.5 Billion Was Lost to Cyber Crime Globally in 2019

                                                              Alright, let’s take a one-year look at global cybercrime costs. Research from the same FBI IC3 2019 Internet Crime Report indicates that more than $3.5 billion was reported lost as the result of cyber crimes in 2019 alone. In that period, the IC3 report states that a total of 467,351 incidents were reported by businesses and individuals — of which, the most common types of crime with the highest reported losses include:

                                                              • BEC/EAC scams (more than $1.7 billion)
                                                              • Confidence/romance fraud (more than $475 million), and
                                                              • Spoofing (more than $300 million).

                                                              It’s important to note that these cyber security statistics only include the number of reported attacks and losses. This means that these cyber security stats don’t include the attacks and losses that resulted in unreported attacks. And considering that confidence/romance fraud scams often go unreported by victims, this means that the numbers are thought to be grossly underreported.

                                                              3. Apple, Netflix, and Yahoo Account for 25% of Brand Impersonations in Phishing Attacks in Q1 2020

                                                              Apple is one of the reigning consumer brands because of the popularity of its iPhones, Apple Watches, flashy marketing, and other useful consumer technologies. But Apple is also the brand that was most frequently impersonated overall by cybercriminals during the first quarter of this year, according to research from Check Point. It jumped from its previous seventh place rank in Q4 2019 to first place with 10% of all brand phishing attempts. Netflix is a close second, claiming 9% of all phishing attempts, and Yahoo comes in third with another 6%.  

                                                              4. 57% of Survey Respondents Used Third-Party Cyber Security Assessments in 2019

                                                              Cyber security assessments are a critical component of making your cyber defenses stronger and more effective. More than half of the 1,100 respondents to Experian’s Seventh Annual Data Breach Preparedness Study indicate that they regularly conducted “third-party cyber security assessments” in 2019. While this may seem low, just keep in mind that this number has increased by about 9% over the past two years, according to their data.

                                                              5. 73% of Survey Respondents Check Access and Physical Security

                                                              Cyber security statistics graphic representing physical security

                                                              This brings us to number five on our list of cyber security statistics. While it’s true that it’s vital for organizations to focus on their digital security measures, that’s not to say that they can ignore or forget about physical security. In that same Experian breach preparedness study, another nearly three-quarters of the respondents indicated that they regularly review “physical security and access to confidential information.”

                                                              While it’s a relief that the majority of respondents indicate that they are looking into and monitoring these things, ideally, this number should be 100%. That’s because everyone should be making an effort to regularly review physical security and access within their organization to ensure that their data and systems don’t become compromised.

                                                              6. IoT Platform Revenue Forecast to Reach $66 Billion in 2020

                                                              Let’s switch gears a little bit. Revenue growth for IoT platforms will grow 20% this year, Juniper Research forecasts in its report IoT ~ The Internet of Transformation 2020. Interestingly, the research company anticipates that the COVID-19 pandemic will play a role in increasing the IoT adoption in healthcare.

                                                              7. Online Payment Fraud to Cost Ecommerce At Least $25 Billion Annually by 2024

                                                              Ouch… This is a particularly painful cybersecurity statistic if it holds true. The outlook for ecommerce merchant losses to online payment fraud isn’t a positive one, according to another Juniper Research report, Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts 2020-2024. They expect those losses to exceed $25 billion with a growth rate of 52% over the next four years.

                                                              8. 73% of “Leading” Organizations View Strong Cybersecurity as a Contributor to Business Success

                                                              73% of “leading” organizations that were surveyed by AT&T strongly agree with the idea that their organization’s security posture is something that makes their overall business success much more likely. But what is a “leading” organization? AT&T defines that term in their 2020 benchmark report The Relationship Between Security Maturity and Business Enablement as those organization who “weave strong cybersecurity into the business, IT, and organizational culture” and tend to be further along in the NIST Cyber Security Framework than “following” or “emerging” organizations. They’re also those organizations whose survey scores placed them in the top 20% of survey respondents.

                                                              9. “Leading” Organizations Are 4.3X More Effective at Prioritizing Cybersecurity Incidents

                                                              Having the ability to prioritize cybersecurity threats and vulnerabilities based on their business impact is a necessary skill for every organization… That is, if they want to stay in business and all. AT&T’s security maturity and business enablement survey shows that “leading” organizations are more than four times more likely to identify themselves as being “very effective” at doing so.

                                                              Cyber Security Statistics: What Organizations Are Investing in Cyber Security

                                                              Cybersecurity is a critical area for organizations and businesses to invest in. In addition to your “human firewall,” your cybersecurity systems and infrastructure are what’s going to hold the line (or the door, for my fellow Game of Thrones fans) between your organization’s sensitive data and the cybercriminals who want it.

                                                              So, how much does this line of defense mean to many organizations? Let’s see what kind of numbers governments, organizations, and businesses are willing to dedicate to strengthening their cyber defenses — and what kind of cost savings these efforts can provide — in our next section of cybersecurity statistics:

                                                              10. Global IT Spending Forecast to Total $3.9 Trillion in 2020

                                                              Gartner’s most recent research estimates that worldwide IT spending will increase 3.4% in 2019 to nearly $4 trillion by the end of this year. So, which industry are they expecting to see the largest growth? The report indicates that software will experience a staggering estimated growth rate of 10.5%.

                                                              Of course, how the impact of the Coronavirus (COVID-19) plays a role in how any spending-related estimates actually play out as the year progresses is anyone’s guess. Only time will tell.

                                                              11. U.S. President’s Budget Includes $18.8 Billion in Cyber Security Funding for FY 2021

                                                              According to the proposed Budget of the U.S. Government Fiscal Year 2021, the Trump administration plans to dedicate nearly $18.8 billion to spending on federal cybersecurity programs and initiatives. The budget document outlines more than $1.1 billion for the U.S. Department of Homeland Security’s (DHS) cybersecurity efforts.

                                                              Much like last year, of course, the Analytical Perspectives document for the FY 2021 budget stipulates that it doesn’t include all cyber-related information. Why? “Due to the sensitive nature of some activities, this amount does not represent the entire cyber budget.” Basically, it boils down to the standard statement about protecting national security.

                                                              12. Information Security Spending Forecast for 2023 Surpasses $151 Billion

                                                              Data from the International Data Corporation’s (IDC) Worldwide Semiannual Security Spending Guide indicates that global spending on security products and services is expected to increase to $151.2 billion by 2023. This is based on an estimated compound annual growth rate (CAGR) of 9.4% over that period. This is up from their estimated spending of $106.6 billion in 2019.

                                                              The report indicates that the banking industry, discrete manufacturing industry, and federal/central government are forecast to be the biggest spenders globally in terms of security tools and solutions over this forecast period.

                                                              13. The Deception Technology Market is Forecast to Reach $2.48 Billion by 2025

                                                              Research from Mordor Intelligence forecasts a 13.3% CAGR for the deception technology industry within the next five years. Deception technology, which is used to detect and prevent advanced persistent threats (APTs), often integrates artificial intelligence (AI) and machine learning (ML) to make them more dynamic.

                                                              It’s something that, historically, the National Institutes of Standards and Technology (NIST) has stayed away from. But last year, they began recommending the use of deception techniques and technologies in NIST Special Publication 800-160 v2 and their draft of NIST SP 800-171B.

                                                              (Author note: I know it’s a little off topic, but can we Lord of the Rings fans just take a moment to appreciate this research company’s name?)

                                                              14. COVID-19 Forecast to Slow Average Growth Rate of Cybersecurity Market to 6.2% Per Year

                                                              cyber security statistics graphic representing slow market growth

                                                              Although the cybersecurity market is still expected to grow, it’s now forecast to do so at a slower rate. The Global Cyber Security Market Analysis by is saying the market will likely grow 6.2% per year to 2023 due to the economic impact of the Coronavirus pandemic. Yeah, this virus really is messing with everyone’s plans.

                                                              15. Cybersecurity Prevention Efforts Can Save Businesses Up to $1.4 Million Per Attack

                                                              Here’s some really great news from the Ponemon Institute and Deep Instinct: Cyber attack prevention initiatives can have a significant payoff for organizations. Their study indicates that you could save up to 82% of the costs associated with the cybersecurity lifecycle (prevention, detection, containment, recovery, and remediation). So, if you’re able to prevent a cyber attack that would have cost your business a cool $1 million, that would be a savings of $820,000 ($1,000,000-180,000 in prevention costs = $820,000 in savings).

                                                              So, what’s the downside? Keep reading.

                                                              16. 76% of Security Pros Focus on Detection and Containment Instead of Prevention

                                                              So, even though research from Ponemon Institute and Deep Instinct shows that prevention can save you lots of moolah, only 24% of cybersecurity pros they surveyed actually focus on prevention. Why? Because they perceive containment to be more “accountable” than prevention. So, as a result, the majority of cybersecurity budgets go towards activities within the other four steps of the cybersecurity lifecycle.

                                                              17. 93% of Organizations Have or Plan to Get API Gateway Protection

                                                              Application programming interface (API) cybersecurity is a growing area of interest for nine in 10 surveyed users, according to CyberEdge Group’s 2020 Cyberthreat Defense (CDR) Report. 63.1% of respondents indicate that they already use API gateway/protection, and another nearly 30% indicate that they plan to get it within the next 12 months.  

                                                              18. 60% of IT Professionals Believe Cybersecurity Budgets Are Lacking

                                                              Perceptions about cybersecurity budgets sure do vary across organizations. Current data from ISACA’s State of Cybersecurity 2020 global report indicates that 41% of respondents think their organization’s budget is “somewhat underfunded” and another 19% indicate that it’s “significantly underfunded.” Another 34% said they think it’s “appropriately funded” and 3% believe the budget to be “somewhat overfunded.”

                                                              This is one of those cyber security statistics that we hope our readers really take to heart… Don’t be stingy — dedicate your budget where it needs to go. We know that there are other budgetary concerns, but if your business takes a major hit from a data breach or cyber attack, your reputation (and your organization as a whole) may not be able to withstand the consequences. So, don’t wait until after crap goes wrong to make the right budgetary decision.

                                                              19. 69% of Experts Say Cybersecurity Cost Increases are Unsustainable

                                                              60% of the respondents to Accenture’s Third Annual State of Cyber Resilience survey report indicate that they’ve increased their investments in cybersecurity technologies such as network security, threat detection, and security monitoring over the past two years. However, nearly seven in 10 respondents indicate that the cost of these investments to stay ahead of cyber threats is unsustainable in the long term.

                                                              Cyber Security Statistics: Where the Industry Stands in Terms of Employment

                                                              Hiring and employment are important areas of consideration for virtually every industry, and cybersecurity and IT are no different. With this in mind, here are a few of the top employment and hiring-related cyber security statistics you should see:

                                                              20. 82% of CISOS Report Feeling “Burned Out” as Professionals

                                                              Symantec (now Broadcom), in collaboration with cybersec researcher Dr. Chris Brauer and Goldsmiths, University of London, says that data from their survey of more than 3,000 security decisionmakers in the United Kingdom, Germany, and France indicates that four in five CISOs are feeling significantly overwhelmed. Furthermore, 65% of respondents indicate that they feel like they’re being set up for failure, and 64% indicate that they’re contemplating leaving their jobs.

                                                              21. 62% of Organizations’ Cybersecurity Teams are Understaffed, 57% Have Unfilled Positions

                                                              cybersecurity statistics graphic representing unfilled positions

                                                              Global research from ISACA shows that when it comes to cybersecurity staffing and retention, many organizations are leaving too many seats at the table vacant. The ISACA’s State of Cybersecurity 2020 report shows that 62% of respondents indicate that their organization’s cybersecurity team is either somewhat or significantly understaffed, and 57% say that some cybersecurity positions within their teams remain unfilled.

                                                              22. 72% of IT Professionals Believe Their HR Departments Don’t Understand Cybersecurity Hiring Needs

                                                              While human resources departments may think they’re doing a bang-up job of pre-screening cybersecurity candidates, nearly three-quarters of ISACA-surveyed IT professionals seem to think otherwise. Data from the ISACA State of Cybersecurity 2020 report indicate that IT pros think that HR occasionally (37%), rarely (30%) or never (5%) understands their needs.

                                                              23. 85% of IT professionals report having at least one certification

                                                              How many IT-related certifications do you have? How about your employees? Eight in 10 IT professionals say they have at least one industry-related certification, according to Global Knowledge. This means that if you’re looking to hire, four out of every five job applicants have at least one certificate, although many professionals have multiple certifications.

                                                              Wondering what certifications hiring managers are looking for? Check out these insights from industry experts.

                                                              24. In the U.S., the Cyber Security Workforce Needs to Grow 62% to Meet Demands

                                                              You’ve probably seen news headlines and other cyber security statistics articles talking about how unemployment rates within the cybersecurity industry hover near 0%. Research from ISC2’s 2019 Cybersecurity Workforce Study also shows that in order for the industry to meet the needs of U.S. businesses, there needs to be significant employment growth to cover the nearly 500,000-person gap that exists. But the U.S. is still in a better position than the global cybersecurity workforce. ISC2’s estimates indicate that the cybersecurity workforce needs to grow 145% to meet the demand of global businesses.  

                                                              25. IT Security Architect/Engineer Role Is Biggest Area IT Personnel Are Lacking

                                                              While there are many areas in which cybersecurity skills are having shortfalls, research from CyberEdge Group’s 2020 Cyberthreat Defense Report shows that there are three areas where organizations are experiencing the biggest skills shortages:

                                                              • IT security architect/engineers (34%),
                                                              • IT security administrators (33.3%) and
                                                              • Risk/fraud analysts (31.8%).

                                                              26. Cybercriminals Prey on Job Seekers at an Average Cost of $3,000 Per Victim

                                                              Although this particular cybersecurity statistic applies to all job seekers, we thought it would be a pertinent stat to include in this article as well. The FBI’s IC3 reports that victims have reported financial losses and damage to their credit scores as the result of fake job scams. According to their January press release:

                                                              “While hiring scams have been around for many years, cyber criminals’ emerging use of spoofed websites to harvest PII and steal money shows an increased level of complexity. Criminals often lend credibility to their scheme by advertising alongside legitimate employers and job placement firms, enabling them to target victims of all skill and income levels.”

                                                              In this section cyber security stats list, we’ll go over some of the top cyber attack statistics and data breach statistics that we found that we think would be of interest to you. The focus of this section isn’t to talk about the financial costs of individual cyber attack events and breaches — those types of numbers will be discussed a little later in the two sections that list the top cyber attack statistics by year (2020 and 2019).  

                                                              27. Americans Experience a 29% Decline in U.S. Robocalls in April 2020 Due to COVID-19 Pandemic

                                                              Cybersecurity stats graphic showcasing decline in robo calls

                                                              Ah, here’s the silver lining! YouMail reports that Americans received nearly 30% fewer robocalls in April 2020 — only 2.86 billion (although I argue that even just one is too many). This is likely because international call centers in some countries are closed due to the virus. This decrease in calls follows a 30% drop in March and nearly a 45% drop in February — a stark contrast from the October 2019 record 5.7 billion calls that were reportedly made.

                                                              28. 7 Million: The Number of Data Records Compromised Daily

                                                              Varonis reports that there are approximately 7 million data records compromised each day, and 56 records compromised each second. This means that in the average year (365 days), based on the number of daily breaches, there’s about 2,555,000,000 (2.55 billion) records exposed annually.

                                                              29. SonicWall Reports Phishing Volume Was Down 42% in 2019

                                                              A surprising statistic that comes from SonicWall’s 2020 Sonicwall Cyber Threat Report indicates that the overall number of phishing attacks decreased significantly last year. Part of this is because “Phishers are being measured, pragmatic and patient” in how they choose and target their victims. Basically, they’re relying less on a spray-and-pray method and are making their attacks more focused and, therefore, more effective.

                                                              30. 8.4 Million DDoS Attacks Were Observed in 2019

                                                              There were more than 23,000 DDoS attacks each day last year, according to the NETSCOUT Threat Intelligence Report: Findings from 2H 2019. Netscout researchers equate that to about 16 attacks occurring every minute in 2019. That’s literally one attack every 3.75 seconds! According to the report, cybercriminals took advantage of seven “new or increasingly used attack vectors” to help them carry out their distributed denial of service attacks.

                                                              31. Deepfake Scams: A $250 Million Problem in 2020

                                                              This is probably one of the most disturbing items on our list of cybersecurity statistics. As part of their 2020 cybersecurity predictions, Forrester Research predicts that the costs associated with deepfake scams are going to cost the world more than $250 million this year.

                                                              In case you’re not familiar with deepfake technology, deepfake scams use artificial intelligence (AI) and natural language generation technologies to fabricate seemingly real video and audio clips of a person. While this technology could be used for positive things like booking reservations at restaurants (although, really, how lazy are we that we would require a computer to do this for us?), the issue comes in when cybercriminals get their hands on it.

                                                              To carry out a deepfake scam, threat actors use these generated pieces to impersonate people and pull off phishing attacks and other scams. So, now imagine when they use spoofing tactics on top of it. So, you could get a phone call from someone who sounds like your boss, using their phone number, and you might not be any the wiser.

                                                              While we’d like to hope that these scams aren’t going to be a big threat because of the amount of resources involved in preparing for one of these attacks, unfortunately, we’re already starting to see the impact of this technology. Deepfake scams have already proven successful with the CEO of an unnamed U.K.-based energy firm losing $243,000 to such a scam last year.

                                                              32. Cloud-Based BEC Email Scams Top $2.1 Billion In Costs to U.S. Businesses

                                                              In April, the FBI’s IC3 team reported that between January 2014 and October 2019, they received numerous complaints about BEC scams targeting U.S. businesses that involved two cloud-based email services. Unfortunately for those affected organizations, these attacks resulted in actual losses of more than $2.1 billion during that period.

                                                              But what exactly falls under the category of cloud-based email services? The IC3 says that these services are:

                                                              “[…] hosted subscription services that enable users to conduct business via tools such as email, shared calendars, online file storage, and instant messaging.”

                                                              33. 279: The Mean Number of Days It Takes to Identify and Contain a Data Breach

                                                              It’s no secret that the faster you can contain a data breach, the less of an impact it’ll have on your business financially. But this isn’t very comforting considering that research from the Ponemon Institute and IBM in their 2019 Cost of a Data Breach report indicates that the mean amount of time it took to identify a threat in 2019 was 206 days, and the mean time to contain it was 73 days. This means that the costs could really pile up in the nearly 280 days it takes to discover and contain a breach.

                                                              34. SEGS Fail to Stop 99.5% of “Non-Trivial Email Spoofing Attacks”

                                                              Next on our list of cybersecurity statistics is a topic relating to spoofing. Ironscales reports that nearly all of the 100,000+ verified spoofing attacks they studied over a two-year period made it through secure email gateways (SEGs). The same Ironscales survey also shows that the two most common type of spoofing attack used to bypass SEGs are “exact sender name impersonations” (73.5%) and “similar sender name impersonations” (24%). 

                                                              This is just one of many points on this growing list of cybersecurity statistics that underscores the importance of cyber awareness training for your employees. Technology isn’t always going to be able to keep out every threat — this is why your employees need to understand how to identify these threats themselves by carefully analyzing emails before engaging with any links or attachments in them.

                                                              35. Cyber Fraud and Abuse Up 20% in Q1 2020 with 445 Million Attacks Reported

                                                              With the three-ring circus security mess surrounding the COVID-19 global pandemic, cybercriminals are having a field day at the expense of individuals and organizations alike. In their Q2 2020 Fraud and Abuse report, Arkose Labs reports a 20% spike in cyber fraud incidents as a result of the virus. In fact, their research states that 445 million cyber attacks have been detected since the beginning of 2020.

                                                              Considering that there’s still no end in sight regarding the virus situation, we’ll likely see these numbers continue to increase.

                                                              36. COVID-19 Email Scams Increased More Than 650% in March 2020

                                                              I know, you’re tired about hearing about COVID-19, aka the Coronavirus. But it’s important to note the role that this pandemic has played in the cybersecurity sector. This brings us to number 36 on our list of cybersecurity statistics. Barracuda Networks reported in March that COVID-19-themed spear phishing emails skyrocketed 667% between March 1 and March 23.  

                                                              37. 50.55: The Average Number of Days It Takes to Remediate Web App Critical Vulnerabilities

                                                              Graphic representing 50 days on a calendar

                                                              According to their 2020 Vulnerability Statistics Report, Edgescan research indicates that organizations reported in 2019 that it took nearly eight weeks to “remediate critical risk vulnerabilities for public internet-facing web applications and 49.26 days for internet-facing network layer critical risk vulnerabilities.” While 50 days is still a long time, it’s actually a decrease of 18 days since 2018.

                                                              38. Gaming and IT Platforms Experience 39% Increase in Attacks in Early 2020

                                                              Times are changing, and cybercriminals are changing their behaviors and avenues of attacks to match. According to Akrose Labs’ Q2 2020 Fraud and Abuse report, more people are spending a greater amount of time communicating personally and professionally online as the result of the Coronavirus. As such, they’ve witnessed an increase in cyber attacks targeting specific industries — retail and travel (26%), gaming (23%) and tech platforms (16%).

                                                              39. Gift Cards Account for 62% of BEC Attack Cash-Out Methods in Q4 2019

                                                              Cybercriminals are always looking for the easiest or most effective ways to scam people, and the same can be said about their approach to getting a payout. In this item on our list of cyber security statistics, data from Agari’s Q1 2020 Email Fraud & Identity Deception Trends Report indicates that nearly two-thirds of business email compromise (BEC) attacks in Q4 2019 involved requested payments from victims via gift cards. The next most common payment method was direct transfer (wire transfer), which comes in at 22%.

                                                              Cybercriminals love gift cards for many reasons — one of which is that this form of digital currency isn’t held to the same anti-fraud standards as their credit and debit card counterparts. Another reason is that they can turn around and sell the gift cards they fraudulently gain in online exchanges at a profit. These cards are also easier to trade and use at legitimate businesses — after all most store employees won’t think twice about someone using a gift card, but they may ask for ID when you use a credit card to make a large purchase.

                                                              40. The Average Cost of a BEC Fraud Wire Transfer Payment Is More Than $55,000

                                                              While it may not be the most commonly requested payment method, wire transfer requests are, by far, the most potentially profitable for BEC cybercriminals. Agari’s Q1 2020 Email Fraud & Identity Deception Trends Report states that while the average gift card request was $1,627, the average amount they requested that their targets pay via wire transfers was nearly $55,395. That means that BEC fraudsters are requesting 3,305% more via individual wire transfers than they do in individual gift card payments!

                                                              Part of the reason why these are so profitable is that BEC scammers target large organizations and enterprises that regularly make large wire transfer as part of everyday business transactions. Someone may think twice if they’re asked to buy a $50,000 gift card, but they may not bat an eyelash if they’re asked to make a wire transfer payment of that size to a vendor because they’re used to doing that as a regular business expense.

                                                              41. 44% of “Non-Leader” Organizations Report At Least 500,000 of Their Customer Records Exposed

                                                              Accenture’s Third Annual State of Cyber Resilience report breaks the organizations they survey down into two groups: leaders and non-leaders. The first includes organizations whose cybersecurity programs cover 85% of their organization; the latter encompasses organizations whose cybersecurity programs cover a little more than half.

                                                              With this in mind, 44% of those “non-leader” organizations say that more than 500,000 customer records were exposed last year. This is a stark contrast from those who are considered “leaders,” only 15% of whom indicate that same level of customer data exposure.

                                                              Cyber Security Statistics: A By-the-Numbers Look at Victims and Compromised Records Data

                                                              42. Le Figaro Database Misconfiguration Exposes 7.4 Billion Records

                                                              Graphic representing the Le Figaro database leak

                                                              Security Detectives researcher Anurag Sen and his team discovered an enormous data leak from Le Figaro, France’s major news site. Bleeping Computer reports that the 8 TB of data, which was hosted on a Poney Telecom Elasticsearch server, contained a variety of PII of site users, including:

                                                              • Full names
                                                              • Addresses
                                                              • Email addresses
                                                              • IP Addresses
                                                              • Passwords (in cleartext, hashed with DM5)

                                                              Some of the exposed data, such as full names and email addresses, belonged to Le Figaro’s employees and reporters. The researchers say that both new accounts and pre-existing accounts that were accessed between February and April 2020 were part of those records. Sacre bleu!

                                                              43. 91 Million Tokopedia Accounts and Passwords Listed for Sale on the Dark Web

                                                              Under the Breach, a cybersecurity firm, shared with BleepingComputer that a hacker was selling a cache of accounts and passwords for 91 million Tokopedia users. The cost? Just a measly $5,000. The article reports that although only a small subset of the PostgreSQL database fields actually contain sensitive data:

                                                              “The most serious of the exposed data consisted of a user’s email address, full name, birth date, and hashed user passwords. Some of the exposed accounts also had their mobile device’s Mobile Station International Subscriber Directory Number (MSISDN) listed.”

                                                              44. Aptoide Data Breach Exposes More Than 20 Million Customer Records

                                                              Aptoide, a third-party Android app store, reported a breach of its database in April 2020 that led to the exposure of more than 20 million customer records. The company reports that “Besides your email address used for login and encrypted password, no Aptoide user’s personal data is in the database.

                                                              Oh, that’s reassuring… Only your login and passwords have been exposed. Considering that a large percentage of users say that they re-use passwords and login credentials across multiple accounts, this is something many affected users should be concerned about.  

                                                              45. More Than 15 Billion Records Exposed in Data Breaches in 2019

                                                              Last year was another “worst year on record” with regard to data breach activity, Risk Based Security reports in their 2019 Year End Report Data Breach QuickView. That statement is to be expected considering that the company reports that 7,098 breaches resulted in the exposure of more than 15.1 billion records.  

                                                              While the number of breaches themselves increased only slightly over 2018, the number of exposed records jumped 284% over the exposed records reported in 2018, and increased 91% compared to the same data reported for 2017.

                                                              46. 9.2 Million Suspicious Emails Reported in 2019

                                                              While that may not seem quite as bad as some of the numbers you’ve seen so far on this list of cybersecurity statistics, what’s important to note is that this number represents only the suspicious emails that were reported by the end users of Proofpoint’s customers in 2019. This is a 67% increase over what they reported the year prior. And, again, this is just the end users related to one company’s customers. But, at least, it gives a little perspective of what’s going on in the industry as a whole.

                                                              47. 425 GB of Sensitive Records Leaked Due to Financial Companies’ Unsecure Database

                                                              More than half a million sensitive and confidential financial and legal records were exposed as part of a 425 GB treasure trove, ZDNet reports. The data, which was discovered by a vpnMentor’s research team, came from an open database that was connected to MCA Wizard, an app that was developed by Argus Capital Funding and Advantage Capital Funding. According to ZDNet’s report, the AWS S3 bucket lacked basic security measures — such as encryption, authentication measures or access credentials.

                                                              48. The PII of 10.6 Million MGM Resorts Guests Compromised in 2019 Attack

                                                              In February 2020, ZDNet reported that MGM Resorts stated that the personally identifiable information (PII) of 10,683,188 former guests was discovered to have been accessed from a cloud server in 2019. The majority of the exposed information includes the guests’ names and phone numbers.

                                                              According to the ZDNet report:

                                                              “Besides details for regular tourists and travelers, included in the leaked files are also personal and contact details for celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies.”

                                                              49. Brazilian Biometric Company Exposes 81.5 Million Records, Including Fingerprints, on Unsecure Server

                                                              The use of biometric data is often considered one of the most secure forms of security authentication. Biometrics includes a variety of identifying factors and technologies such as retinal scans, facial recognition software, and fingerprint scanning. But Security Detectives researcher Anurag Sen and his team discovered 16 GB worth of data on an unsecured Elasticsearch server belonging to Antheus Tecnologia, a Brazilian biometric solutions provider. The database included 76,000 fingerprints, as well as employee company emails and telephone numbers

                                                              According to a CNet report, Antheus Tecnologia said that there wasn’t any sensitive data on the server, and that the fingerprints didn’t come from customers and was actually publicly available data from its development team and NIST.

                                                              50. U.S. Federal SBA Loan Program Data Breach Exposes Nearly 8,000 Business Applicants

                                                              As if many small businesses weren’t struggling enough already due to the Coronavirus situation, it turns out the website for the federal government’s Economic Injury Disaster Loans (EIDL) program was the source of a data breach. In March, the Small Business Association (SBA), which manages the applications for program, sent out letters to the impacted applicants informing them that their PII, financial and insurance information may have been exposed.

                                                              How is this possible? It boils down to a web application flaw. Simply by hitting the “back” button during the first round of the online loan application process resulted in the app displaying the information entered by previous applicants.

                                                              There’s no telling yet as to who saw whose information, or whether any leaked information has been used maliciously. Only time will tell.

                                                              51. The PII of 6.5 Million Israeli Voters Leaked via App-Promoting Website

                                                              The personal data of 6,453,254 Israeli voters was leaked via flawed software for a voting app called Elector, the news organization Haaretz reports. The leaked information included vital information, including:

                                                              • Full names
                                                              • Identity card numbers (akin to social security numbers in the U.S.)
                                                              • Genders
                                                              • Phone numbers
                                                              • Other unspecified personal details

                                                              The software vulnerability made it possible to not only view but also download the entire voter registry, according to The New York Times. Considering the entire population of the country is estimated to be around 8.6 million, according to the most recent data from the United Nations, we’re talking about the majority of the country’s population.

                                                              52. 530,000+ Compromised Zoom Accounts Sold (or Given Away) Online

                                                              Zoom’s not-so-secure encryption has been a hot topic of debate. But something more people have been interested in is that more than a half-million Zoom accounts were being peddled via the dark web and hacker forums for as little as $0.0020 per account, according to Bleeping Computer.

                                                              The accounts were obtained using “credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches.” Bleeping Computer reports that they were informed about the breach by researchers at the cybersecurity firm Cyble.  

                                                              53. 160,000 Nintendo User Accounts Compromised via Legacy Network Accounts

                                                              We mentioned earlier that cyber attacks on the gaming industry are increasing. Here’s one of those examples. The Japanese game company Nintendo reported unauthorized access to about 160,000 accounts via Nintendo Network IDs (NNIDs). Compromised information includes nicknames, dates of birth, country/region, and email addresses. However, no credit card information was reportedly access during the breach.

                                                              Cyber Security Statistics: The Costs of the Top Cyber Attacks and Data Breaches in 2020 (So Far)

                                                              54. Hackers Demand $42 Million Ransom for A-Lister Law Firm’s Data

                                                              Page Six reports that a New York entertainment law firm used by major celebrities around the world was the target of a ransomware attack. The attackers, a hacker group by the name of REvil, initially demanded payment of $21 million of Grubman, Shire, Meiselas & Sacks to prevent them from releasing documents from the 756 GB cache of the firms’ celebrity clients’ confidential documents, emails, and contracts that they stole. The article stands that the hackers’ ransom demands have since doubled to $42 million.

                                                              According to a statement issued by the law firm to Page Six:

                                                              “Despite our substantial investment in state-of-the-art technology security, foreign cyberterrorists have hacked into our network and are demanding $42 million as ransom. We are working directly with federal law enforcement and continue to work around the clock with the world’s leading experts to address this situation.”

                                                              Whether or not they decide to pay — which it doesn’t sound like the law firm is willing to do — remains to be seen. We’ll just have to stay tuned to see how the situation turns out.

                                                              55. Three BEC Attacks Cost the Puerto Rican Government $4 Million

                                                              According to a report by the Associated Press, the Puerto Rican government lost a total of more than $4 million in three separate business email compromise attacks in January 2020. Of the losses, $2.6 million alone came from an attack that targeted Puerto Rico’s Industrial Development Company, and another $1.5 million targeted Puerto Rico’s Tourism Company — both of which are government-owned organizations.

                                                              56. Shark Tank Investor Barbara Corcoran Loses Nearly $400,000 to a BEC Scam

                                                              In February 2020, a cybercriminal decided to take a bite out of real estate tycoon and business investor Barbara Corcoran. She was the victim of a successful business email compromise (BEC) scam that cost her $388,700.11, according to People Magazine. The attack, which was later traced to a Chinese IP address, occurred when the criminal, posing as Corcoran’s assistant, sent an email to Corcoran’s bookkeeper requesting a wire transfer to pay for a real estate renovation.

                                                              Thankfully, for Corcoran, USA Today reports that the money has since been returned. So, how did the attack originally happen? In the USA article, Corcoran says:

                                                              “The detail that no one caught was that my assistant’s email address was misspelled by one letter, making it the fake email address set up by the scammers.”

                                                              57. Americans Lose $24.44 Million to Coronavirus-Themed Scams (So Far)

                                                              As if that number isn’t bad enough on its own — just remember, this is likely only the beginning. The Federal Trade Commission (FTC) reports that they recorded 36,238 complaints between Jan. 1 and May 5, 2020 with total losses approaching $25 million. The states with the highest numbers of complaints include California (4,010), Florida (2,515),  New York (2,220), Texas (2,196) and Massachusetts (1,515).

                                                              Cyber Security Statistics: The Costs of BEC Scams, Cyber Attacks, and Data Breaches in 2019

                                                              58. $3.92 Million Is the Average Total Cost of a Data Breach

                                                              Graphic: Average data breach cost

                                                              Although this research is from 2019, the Ponemon institute and IBM’s 2019 Cost of a Data Breach Report is still a great resource for getting current estimates of costs associated with data breaches. Their data reports a total average cost of $3.92 million per data breach at a cost of $150 per lost record.

                                                              Their report also indicates that a breach that has a lifecycle of less than 200 days costs $1.2 million less than one with a lifecycle that extends past 200 days.

                                                              59. $37 Million — The Amount a Toyota Subsidiary Lost to a BEC Scam in August 2019

                                                              2019 wasn’t a great year for Toyota and its subsidiaries when it comes to cybersecurity. Proofpoint reports that Toyota Boshoku, a subsidiary of the Toyota car manufacturing company, lost tens of millions of dollars to a BEC scam.

                                                              According to a news release from the Toyota Boshoku Corporation:

                                                              “a recent case involving fraudulent payment directions from a malicious third party […] has resulted in a financial loss at our European subsidiary.”

                                                              60. Nikkei America Lost $29 Million to EAC Attack in September 2019

                                                              Nikkei America, the U.S. subsidiary of Japan’s media conglomerate, was the target of an email-based attack. Nikkei, Inc. (Japan) reports that an employee at its American subsidiary made a wire transfer based on instructions that were received via email from someone pretending to be a company executive.

                                                              While the official statement says that they’re “taking immediate measures to preserve and recover the funds that have been transferred,” there’s been no follow up stating whether their efforts have been successful.

                                                              61. Texas School District Loses $2.3 Million to Phishing Scam

                                                              Looks like a cybercriminal decided to try their hand at “schooling” the education system with this next point on our list of cybersecurity statistics. Manor Independent School District reported on Twitter that it lost around $2.3 million due to a phishing scam, according to a report by CNN. The attack, which involved three fraudulent transactions, took place in November 2019 but weren’t publicly reported until January 2020.  

                                                              62. Erie, Colorado Loses $1.01 Million to a BEC Scammer Posing as Construction Company

                                                              Cybercriminals are, unfortunately, very creative and always come up with new ways to shake down businesses. In this particular situation, a scammer pretended to be a local construction company that completed work on the Erie Parkway Bridge, the Denver Post reports. The criminal submitted an online request via the town’s website that asked for any future payments made for work completed to be paid electronically. Two payments, totaling more than a million dollars, were then subsequently wired electronically to the cybercriminal’s account where they were then transferred elsewhere.

                                                              Security Intelligence also reports that even though the town had guidelines in place, the staff member who accepted the changed payment information form didn’t follow them.

                                                              63. Chinese Venture Capital Firm Loses $1 Million in Seed Money in Elaborate Scam

                                                              A Chinese venture firm that had a deal with an Israeli startup lost $1 million to an elaborate targeted phishing campaign that used a combination of BEC tactics, look-alike domains and a MitM attack, Check Point reports. Not only did the threat actor use spoofed emails to communicate with both groups, while impersonating real contacts on both sides, but the cybercriminal also registered two fake domains that looked nearly identical to the organizations’ websites.

                                                              The entire attack involved a total of 32 emails — nearly three dozen messages — between the attacker and the two firms!

                                                              Cyber Security Statistics: A Look at the Types of Threats That Can Impact Your Business

                                                              Cybercriminals are always seeking out new and inventive ways to victimize their targets. Sometimes, it’s just putting a new shade of lipstick on the pig by applying new tactics to old scams. But regardless of the tactics they use, it’s up to us as businesses, government agencies, and consumers to educate ourselves and our employees about these threats.

                                                              Next on our list of cyber security statistics, we’ve put together some categories or areas to look out for when working to strengthen your cyber defenses:

                                                              Employee Complacency or Collaboration Issues

                                                              64. 63% of Emerging Organizations Ignore More Than 25% of Security Events and Alerts

                                                              AT&T’s previously-referenced benchmark report for The Relationship Between Security Maturity and Business Enablement study shows that more than nearly two-thirds of leading organizations ignore more than 25% of their security alerts and events because investing every individual alert is too “impractical.” More than half (52%) of following organizations and 27% of leading organizations say the same.  

                                                              65. 77.4% of Respondents Indicate Poor Relationships Exist Between Their IT and Security Teams

                                                              Collaboration is critical when it comes to making an organization’s cybersecurity programs and initiatives most effective. However, it’s not all sunshine and rainbows when it comes to collaboration between IT and security teams, according to VMWare Carbon Black’s March 2020 Cybersecurity Outlook Report. The study, which was conducted by Forrester Consulting, indicates that more than three-quarters of survey respondents view the relationship between the two groups as being sour.

                                                              66. 55% of organization Say Collaboration Needs to Be a Top Priority

                                                              The good news, at least, is that the majority of organizations realize that collaboration is key to improving their overall cybersecurity. Data from VMWare Carbon Black’s Cybersecurity Outlook Report indicates that more than half of their survey respondents indicate that they want to make collaboration between their IT and security teams a top priority over the next year.

                                                              Poor Asset Visibility and Management

                                                              67. 74% of Organizations Don’t Know How Many Digital Keys and Certificates They Have

                                                              Nearly three-quarters of the respondents from KeyFactor and the Ponemon Institute’s 2020 public key infrastructure research study report that their organizations are unaware of the total number of keys and digital certificates they actually have or use. Why? Because they lack visibility into their PKI certificate management. This includes the use of X.509 digital certificates such as SSL/TLS certificates.

                                                              So, if you don’t know how many certificates you have — let alone where to find them or when they expire — how can you possibly manage or renew them before they expire? Simply put: you can’t.

                                                              Certificate Management Checklist

                                                              Manage Digital Certificates like a Boss

                                                              14 Certificate Management Best Practices to keep your organization running, secure and fully-compliant.

                                                              68. 64% of Professionals Don’t Know All of Their Organization’s Endpoints and Web Apps

                                                              What a disturbing thought. What if more than two-thirds of your own employees had no clue how many web applications or endpoints your organization had? This is the case for most of the pros surveyed in Edgescan’s 2020 Vulnerability Statistics Report. Of course, what makes this worse is that 68% seem to believe their level of visibility is “average” within the industry.

                                                              Defense Evasion Behaviors

                                                              69. 90% of Analyzed Malware Demonstrate Defense Evasion Behaviors

                                                              Just when you thought the issue with malware and ransomware couldn’t get worse, VMWare Carbon Black shows up with attacker behavior data that digs that knife a little deeper. Their report, which maps out their attack data according to the MITRE ATT&CK™ Framework, states that defense evasion behaviors were observed in nine out of 10 samples of malware that they analyzed. This indicates that cybercriminals are being more stealthy in their approach and are actively trying to attack around legacy security solutions. This behavior was observed in 95% of ransomware samples.

                                                              70. 48% of Malware Demonstrate Software Packing and Hidden Windows for Defense Evasion Tactics

                                                              Software packing, a “method of compressing or encrypting an executable” (according to MITRE), was the most common malware evasion behavior that VMWare Carbon Black observed in their analysis of the top malware behaviors of 2019. This category encompasses 26% of the samples, and hidden windows constituted 22%.

                                                              Domain Impersonation/Spoofing

                                                              71. Domain Impersonation Attacks Increase 400% in 4 Months

                                                              In January 2020, Barracuda researchers reported that they’d observed an enormous jump in domain-impersonation attacks in relation to conversation hijacking. The company reported that they detected around 500 such attacks weekly in July 2019, but that the number quadrupled to more than 2,000 of these attacks per week in November 2019.

                                                              Their research shows that this jump means that there were more than 2,000 attacks in the month of July 2019 alone and 8,500 attacks in November 2019. (The numbers in the source article are a bit unclear in terms of how the data was displayed in their article, so I reached out to Barracuda directly for clarification.)

                                                              Lack of Visibility and Enforced Processes

                                                              72. 46% of Professionals View Third-Party Access, Visibility as Barriers to IT Security Responses

                                                              Nearly half of the professionals who responded to Experian’s Seventh Annual Data Breach Preparedness Study indicate that a “lack of security processes for third parties that have access to our data” is a major barrier to their data breach response capabilities. Furthermore, 60% also indicated that a “lack of visibility into end-user access of sensitive and confidential information” is among the biggest impediments.

                                                              HTTPS and Website Phishing

                                                              73. Every 20 Seconds a New Phishing Site Goes Live

                                                              As if website phishing wasn’t already a bit enough issue, Wandera reports in their 2020 Mobile Threat Landscape Report that a new phishing site launches every 20 seconds. That’s three new sites per minute that are specifically designed to victimize users and steal their information!

                                                              74. 74% of Phishing Websites Are Served Via HTTPS Protocol

                                                              Just because you’re connected to a website using an encrypted connection doesn’t mean your data’s safe. It’s just as — if not moreso — important that you know what site or organization you’re connecting to! Using data from PhishLabs, the Anti-Phishing Working Group’s (APWG) Q4 2019 Phishing Activity Trends Report reports that nearly three-quarters of all phishing sites now use encrypted connections via SSL/TLS protocols.

                                                              75. 60% of Websites Use HTTPS as the Default Protocol

                                                              We’re happy to say that use of the HTTPS protocol is growing. W3Techs usage statistics show that as of May 8, 2020, nearly two-thirds of all sites use the HTTPS protocol as their default. This number is up from a little more than 50% in May 2019. The tricky part, though, is that some of these sites are going to malicious websites. This is why it’s important to assert organizational identity on your site via an SSL/TLS certificate to help site visitors determine whether your site is legit or a fake.

                                                              Insider Threats (Intentional or Negligence)

                                                              Graphic: Illustration of an employee insider threat

                                                              76. Cyber Incidents Involving Insider Threats Jump 47% Since 2018

                                                              It’s no secret that humans are frequently the weakest link in your security defense — but new research from the Ponemon Institute further substantiates this claim. In their 2020 Cost of Insider Threats Global Report, published on behalf of ObserveIT and IBM, their findings indicates that the threat of insider threats is growing rapidly — nearly 50% in the last two years. Furthermore, their research shows that the average annual costs associated with these security threats rose 31% to $11.45 million over the same period.

                                                              77. Costs Associated with Insider Threat Prevention and Investigations Increases 60% since 2017

                                                              The Ponemon Institute’s 2020 Cost of Insider Threats Global Report (sponsored by ObserveIT and IBM) also indicates that organizations are spending significantly more to detect and investigate insider threat-related activities. Specifically, the costs of insider threats to the financial services industry has increased more than 20% to $14.5 million since 2018.

                                                              78. Insider Threats and Insider Attacks Top the List of Biggest IT Security Challenges

                                                              When it comes to judging their organizations’ levels of functional security, respondents to CyberEdge Group’s 2020 Cyberthreat Defense Report indicate that their greatest challenges relate to worrisome employee behaviors. They view the difficulty of detecting rogue insiders and insider threats as their biggest concern. This is closely followed by a lack of user security awareness. This might boil down to a lack of internal resources that they can use to train as well as monitor their employees.

                                                              79. Data Breaches Resulting from Human Error Cost Organizations an Average of $3.5 Million

                                                              It’s no secret that people are considered the biggest cybersecurity vulnerability for organizations. Data from the 2019 Cost of a Data Breach Report by the Ponemon Institute and IBM does nothing to squelch that concern. In fact, many of the cyber security statistics they share in their research further serve to underscore this concern. That’s because their research indicates that human error results in data breaches that cost an average of $3.5 million.

                                                              While this amount is more than what they estimate system errors or glitches cost (an average of $3.24 million), it’s still at least less than the average cost of malicious and criminal attacks, which have a price tag of $4.45 million.

                                                              80. 90% of Working Adults Use Employer-Issued Devices for Non-Work Activities

                                                              Nine in 10 working adults report using their employer-issued devices for personal activities, according to Proofpoint’s 2020 User Risk Report. Around half of those surveyed also indicated that they also give their friends and family members access to those devices as well.

                                                              IoT Security

                                                              81. 83 Billion IoT Connections Expected to Be Made by 2024

                                                              New data from Juniper Research indicates that the total number of IoT connections will reach 83 billion by 2024. This is up from estimates of 35 billion connections in 2020, which represents a growth of 130% over the next four years. The industrial sector — which includes agriculture, manufacturing, and retail — is expected to account for more than 70% of those connections in that period.

                                                              82. Only a 5% Increase in IoT Malware Observed by SonicWall in 2019

                                                              While they report only a moderate (5%) increase in IoT malware (equating to about 34 million attacks) in their 2020 Sonicwall Cyber Threat Report, SonicWall Capture Labs threat researchers say that doesn’t mean you can let down your guard. In fact, you should be preparing for the likelihood of increases in such attacks.  

                                                              For additional IoT-specific cyber security statistics, be sure to check out our article 20 Surprising IoT Statistics You Don’t Already Know.

                                                              Malicious ReCaptcha

                                                              83. A Single Phishing Campaign Had More Than 128,000 Emails Using Fake ReCaptcha

                                                              As we mentioned earlier, cybercriminals are always trying to put new shades of lipstick on their pigs. In this case, Barracuda researchers report that phishing email scams using malicious reCaptcha to block detection are on the rise. One email phishing campaign that the company analyzed contained “more than 128,000 emails using this technique to obfuscate fake Microsoft login pages.” 

                                                              According to the article, “reCaptcha walls to prevent automated URL analysis systems from accessing the actual content of phishing pages.” So, essentially, cybercriminals are preventing email security systems from identifying malicious websites.

                                                              Password Security

                                                              84. 65% of Users Use the Same Password Across Multiple Accounts

                                                              Graphic of an unknown password

                                                              With so many PSAs warning against the dangers of re-using passwords and the availability of key managers, we’re exasperated to see that the number is still so high. According to the February 2019 Online Security Survey by Google and Harris Poll, 52% of users report using the same passwords across multiple accounts, and another 13% report reusing the same password across all accounts.

                                                              85. 24% of Survey Respondents Use a Password Manager

                                                              The same Google/Harris Poll February 2019 Online Security Survey also reports that fewer than one-quarter of survey respondents indicate that they use a password manager. Surprisingly, the individuals who are more likely to rely on password managers are those who are age 50 and up. 


                                                              86. 94% of Malware Is Delivered via Email

                                                              Nearly 9 in 10 instances of malware are delivered using emails as their delivery method, according to Verizon’s 2019 Data Breach Investigations Report (DBIR). Of those types of malware, 45% are Office docs.

                                                              87. 86% of Email Attacks Lack Malware

                                                              The bad news is that almost 9 in 10 email-based cyber attacks don’t use malware, meaning that they’re more likely to make it through your email security defenses. The really bad news is that this just means that cybercriminals are using other tactics to pull off their attacks. Data from FireEye indicates that cybercriminals are more commonly using spear phishing and various impersonation-based attacks to pull off their goals.

                                                              88. 37.9% of Users Fail Phishing Tests

                                                              Data from KnowBe4’s Phishing by Industry Benchmarking Report indicates that nearly 38% of untrained end users are susceptible to phishing attacks and will fail phishing tests. This increase is a significant jump over their 2019 report of 8.3%.

                                                              So, is there any good news?

                                                              Yes, there is. KnowBe4’s “phish-prone percentage” (PPP) data indicates that computer-based training and simulated phishing tests can help to improve those numbers:

                                                              “And after one year of monthly simulated phishing tests and regular training, the PPP further declines to just 4.7%. Across all industries, there’s an average 87 percent improvement rate from baseline testing to 12 months of training and testing.”

                                                              89. More Than 3,900 Unique Users Fell for Mobile Banking Phishing Attack Over a 7-Month Period

                                                              Recent data from Lookout indicates that nearly 4,000 victims fell for a mobile-only phishing attack campaign that targeted mobile banking users via SMS messages. The threat actors sent phishing links to fake websites impersonating well-known banks in North America to capture their sensitive info and login credentials. Their research shows the breadth of attacks globally with the U.S. being the hardest hit.

                                                              Image source: Lookout

                                                              Image source: Lookout

                                                              90. 87% of Successful Phishing Attacks Occur via Methods Other Than Email

                                                              As you can see from our list of cyber security statistics, phishing doesn’t only occur via email. Wandera reports in their 2020 Mobile Threat Landscape Report that nearly nine in 10 successful phishing attacks don’t rely on email and frequently operate via other avenues of attack. So, while it’s important to educate your users on the dangers of phishing emails, it’s vital that you don’t limit their education to only email concerns. Also be sure to educate them about the dangers of vishing (voice phishing), smishing (SMS phishing), and other phishing attack methods.

                                                              To see more information relating to phishing statistics, be sure to check out our article Phishing Statistics: The 29 Latest Phishing Stats to Know in 2020.


                                                              91. The Cost of Ransomware Attacks Topped $7.5 Billion in 2019

                                                              Last year, $7.9 billion cost of ransomware attacks were felt by healthcare providers, various government organizations, and educational institutions around the U.S., according to Emsisoft’s The State of Ransomware in the US: Report and Statistics 2019.

                                                              92. 85% of MSPs Rate Ransomware as a Common Threat to SMBs

                                                              Data from Datto’s Global State of the Channel Ransomware Report indicates that four-in-five managed service providers (MSPs) identified ransomware attacks as the leading malware threat to small and midsize businesses (SMBs).

                                                              93. 20% of SMBs Report Being Victims of One or More Ransomware Attacks

                                                              Datto’s Global State of the Channel Ransomware Report also states that one-in-five SMBs report their organizations have sustained ransomware attacks.

                                                              94. 10% Increase in Ransomware Detected in 2019 Despite Decrease in New Ransomware Families

                                                              The detection of new ransomware families decreased by 57% in 2019, Trend Micro reports. But despite the decrease in new families, the IT security company said they detected a 10% increase in detections in the same period. This means that cybercriminals are attempting to carry out more attacks using fewer varieties of ransomware.

                                                              95. Ransomware Increased Average Downtime to 16.2 Days in Q4 2019

                                                              Downtime is a costly and frustrating experience for any organization regardless of size. But its impact can be felt far beyond just money and time — it also takes a severe toll on your reputation and the trust users and consumers place in you. According to Coveware’s Q4 Ransomware Marketplace report, the downtime that resulted from ransomware attacks in the last quarter of 2019 jumped to an average of 16.2 days — a marked increase over their 12.1 day average reported the previous quarter.

                                                              For additional ransomware statistics, be sure to check out our article Ransomware Statistics You’re Powerless to Resist Reading.

                                                              Web Applications

                                                              96. Web Applications Attacks Increased 52% in 2019

                                                              In their 2020 SonicWall Cyber Threat Report, SonicWall Capture Labs reported that web application attacks more than doubled year over year. The main surge in attacks occurred after May, pushing the total number of web app attacks past 40 million. The main avenues of attack include SQL injections, broken authentication and session management, cross-site scripting (XSS), etc.

                                                              97. SQL Injection Accounts for 42% of Common Critical Internet-Facing Vulnerabilities

                                                              SQL injection, just like other injection attacks, involves injecting data into input fields to affect the execution of pre-defined commands. In this case, though, they involve the use of SQL commands specifically. Edgescan reports in their 2020 Vulnerability Statistics Report that SQL injections accounted for 42% (one in five) of the most common critical vulnerabilities in internet-facing web applications last year.

                                                              Cyber Security Statistics: A Breakdown of Cyber Attack Statistics by Industry

                                                              We know — while it’s interesting to read about cybersecurity statistics in general, it’s much more useful to read statistics that apply specifically to your industry. That’s why we’ve put together some industry-specific cyber security statistics that can shed some light on the types of threats or situation your organization — and others like it — are facing.

                                                              98. Three Industries Forecast to Account for 30% of Security Spending by 2023

                                                              The first in this section of our cybersecurity stats list encompasses several industries. Research from IDC’s Worldwide Semiannual Security Spending Guide indicates that nearly 30% of global security spending between 2019 and 2023 is forecast to come from the banking and discrete manufacturing industries, as well as federal/central government.

                                                              99. Healthcare Data Breach Costs Come in at an Average of $6.45 Million

                                                              The 2019 Cost of a Data Breach Report by the Ponemon Institute and IBM indicates that healthcare is the most expensive industry in terms of the total average cost per breach. They also had the longest data breach lifecycle — the time it takes to identify and contain a breach — of 329 days.

                                                              100. 700 Healthcare Providers, 110 Governments and Agencies Victim to Ransomware in 2019

                                                              Data from Trend Micro indicates that ransomware threat actors have healthcare and governments in their sights. More than 700 healthcare providers were affected by ransomware attacks last year, and these types of attacks — along with other cyber attacks — are causing life-threatening situations at hospitals. At the same time, the company reports that “at least 110 US state and municipal governments and agencies fell victim to ransomware.”

                                                              But what makes these organizations so at risk? Frequently, it boils down to:

                                                              • A lack of security awareness and hygiene,
                                                              • Reliance on aging and outdated legacy systems.

                                                              You’d think that after the WannaCry attacks of 2017 that crippled healthcare organizations and government agencies around the world that these types of organizations would be more proactive in updating their operating systems and patching vulnerabilities. But I guess some lessons are harder to learn than others…   

                                                              101. Early 2020 Observes a 32% Increase in Ransomware Attacks Against Energy/Utilities Organizations

                                                              Data from VMWare Carbon Black’s 2020 Cybersecurity Outlook Report shows that while 2019 was a year of notable attacks against healthcare providers (764) and state and municipal governments and agencies (113), the first three months of 2020 are showing a clear increase in attacks targeting another vertical: Energy/Utilities.

                                                              According to the report:

                                                              “The clear spike in both Energy / Utilities and Government suggests that as geopolitical tensions rise so do attacks on these sectors, which often serve as critical infrastructure and provide critical services to massive portions of the population.”

                                                              102. SaaS/Website Accounts for Nearly 31% of the Most Targeted Phishing Sectors in Q4 2019

                                                              It’s no secret that cybercriminals love gaining access to email accounts. So it makes sense in some ways that the undesirable “honor” of being the #1 targeted sector for phishing, according to the APWG’s Q4 2019 Phishing Activity Trends Report, goes to SaaS/webmail. This was followed by the payment industry (19.8%) and financial institutions (19.4%).

                                                              103. Collateral Damage: Satellite Telecommunications Experience 295% Increase in DDoS Attacks

                                                              Sharing IP space with other organizations sucks, and I’d have to say that no one realized that more than the satellite telecommunications industry by the end of 2019. NetScout’s NETSCOUT Threat Intelligence Report 2H 2019 reports that the frequency of DDoS attacks on satellite telecommunications skyrocketed nearly 300% in the second half of the year. Why? They attribute the increase to the result of the flood of DDoS attacks that impacted financial organizations in Europe and Asia minor during that period.

                                                              According to the report:

                                                              “By sharing large netblocks with organizations that didn’t have their own IP space, the satellite telecommunications providers experienced significant collateral damage from these attacks.”

                                                              Cyber security Statistics: IT and Data Privacy Compliance and Risk Management Statistics

                                                              Managing and mitigating risk is essential for every organization if they want to stick around. Part of that boils down to compliance with data security and privacy regulations — compliance isn’t optional. While not all data privacy and encryption laws and regulations will apply to every organization or business, it’s imperative that you and your employees know which ones do.

                                                              For example, if you handle protected medical or health-related information, then you need to familiarize yourself with HIPAA. If your business handles payments made via payment cards, then you need to know about PCI DSS compliance requirements. Not to mention GDPR, CCPA, NYDFS… the list goes on and on, and it’s continuing to grow as more countries and states create new laws and regulations.

                                                              On that note, here are some applicable cybersecurity statistics that we thought would be of interest on this topic:

                                                              104. 52% of Legal and Compliance Leaders Worry about COVID-19 Related Cybersecurity Risks

                                                              We know you’re likely tired of hearing about the Coronavirus, but we’re living in strange times. Many businesses — even if just temporarily — are adopting remote workforces due to the ongoing Coronavirus situation. The responses to a Gartner survey of 145 compliance and legal leaders indicate that organizational leaders are concerned about growing third-party cybersecurity risks as more their organizations are forced to allow their employees to work remotely. Their concerns range from the use of insecure networks to threats of bribery and corruption to fraud and privacy risks.

                                                              105. More than 40% of Privacy Compliance Technologies Anticipate Using AI by 2023

                                                              Another Gartner survey estimate that artificial intelligence (AI) will play a more significant role in privacy compliance technology within the next three years. With the advances we’ve been seeing in artificial intelligence (AI) — as well as the increasingly stringent data privacy and security related laws and regulations that have come out — in recent years, as well as the increasing reliance on AI within the cybersecurity industry, it seems like a logical next step in compliance and risk management.

                                                              106. 67% of Enterprise Survey Respondents Identify Data Visibility as Biggest Challenge

                                                              The handling of sensitive data is frequently an issue for businesses regardless of size. According to the Ponemon Institute’s 2020 Global Encryption Trends Study, more than two-thirds of the survey’s respondents say that their organization’s biggest challenge is locating sensitive information. Another 31% share that identifying and classifying which data to encrypt is another significant challenge.

                                                              107. Only 36.7% of Global Organizations Report Maintaining Full Compliance with PCI DSS

                                                              Graphic representing PCI DSS compliance

                                                              It’s a disturbing trend, but it’s one you need to know, which is why we’ve included it on our list of cybersecurity statistics. Slightly more than one-third of surveyed organizations say they were actively maintaining their Payment Card Industry Data Security Standards (PCI DSS) programs in 2018, according to Verizon’s 2019 Payment Security Report (PSR). This is a significant drop from the 55.4% who reported 100% compliance during interim validation in 2016!

                                                              108. Data Protection Compliance Programs: 20% Advanced, 0% Optimized

                                                              Verizon’s 2019 Payment Security Report reports that of the 55 organizations they surveyed for their 2018 PSR, only one-in-five rated their PCI data protection compliance programs (DPCP) as “advanced.” What’s worse is that none of them rated the maturity of their programs as “optimized.”

                                                              While it’s bad enough that so few organizations have DPCP programs that are considered advanced, what’s even worse is that many organizations don’t even bother to measure the maturity of their payment card industry (PCI) security programs at all!

                                                              109. 48% of Enterprises Report Having and Applying a Consistent Encryption Strategy

                                                              The 2020 Global Encryption Trends Study by the Ponemon Institute, sponsored by nCipher and Entrust Datacard, indicates that nearly half of the respondents indicate that their organizations have and consistently apply an encryption plan across their enterprises. Only 39% of respondents indicate that they have a limited plan that’s applied to specific types of data and applications. The first cyber stat represents an increase of 11% since FY 2015 and the second, a decrease of 6% in the same period.

                                                              Another 13% indicate that they have no encryption plan or strategy overall. This has been a pretty consistent number since it was reported in FY 2016.  

                                                              110. 58% of Organizations Use the Cloud for Sensitive or Confidential Data

                                                              The same Ponemon Institute 2020 Global Encryption Trends Study reports that more than half of respondents indicate that their businesses use cloud technology to transfer or store data — regardless of whether it’s encrypted or protected via any security mechanisms. This number decreased 2% from last year’s survey result of 60%.

                                                              Cyber Security Statistics: Cybersecurity Statistics By Location

                                                              So, what are some of the key cyber security stats if you’re more interested in looking at data that’s broken down by country or region? Yeah, we’ve got you covered for that as well with this location-specific cybersecurity data:

                                                              North America

                                                              111. $8.19 Million: The Average Cost of a Data Breach in the U.S.

                                                              The U.S. leads the way with the highest average cost of a data breach, according to the Ponemon Institute and IBM’s 2019 Cost of a Data Breach report. Not exactly the ranking we’re hoping for, but also not necessarily unexpected, either.

                                                              112. 44% of U.S. Users Indicate They Use Password Managers

                                                              Many cybersecurity experts promote the idea of using password managers. Here in the U.S., we have a far higher password manager usage rate than other countries, according to Proofpoint’s 2020 User Risk Report. Globally, only 23% of respondents indicate that they use a password manager.

                                                              South America

                                                              113. Phishing Attacks in Brazil Increased 275.5% Between Q1 and Q4 2019

                                                              Brazil, the largest economy in South America, experienced 24,251 phishing attacks in 2019, according to data from Axur, the APWG reports in its Q4 2019 Phishing Activity Trends Report. Q1 2019 had the fewest phishing attacks, with just 3,220 observed. However, in Q4 2019, they reported observing 8,872 such attacks.  That’s an increase of nearly 276% from Q1 to Q4!

                                                              114. 35.7% of Email URLs in Brazil Are Malicious

                                                              In other phishing news, Brazil also claims first place when it comes to having the highest percentage of malicious links in emails. According to Broadcom’s 2019 Internet Security Threat Report (formerly the Symantec ISTR), more than one-third of all emails contain malicious links. They’re followed by Mexico (29.7%), Norway (12.8%), and Sweden (12.4%).

                                                              115. 42% of Cyber Attacks in Colombia Resulted From Malicious Websites

                                                              Malicious websites are a threat to organizations, governments, and users the world over. But one in five survey respondents in Colombia said that their organizations were hit by cyber attacks in the last year that used this attack vector specifically, according to Sophos’ report The Impossible Puzzle of Cybersecurity.

                                                              Mexico and Central America

                                                              116. Nearly 94% of Organizations in Mexico Were Compromised in Last 12 Months

                                                              Topping the list of organizations that have experienced at least one successful cyber attack within the last year is Mexico with this shocking cyber security statistic. CyberEdge Group’s 2020 CDR report shows that the country ranked No. 1 with 93.9% of surveyed organizations indicating that their organizations sustained at least one successful attack.

                                                              117. Nearly 25% of Cyber Attacks in Mexico Result from External Media Devices

                                                              Different countries tend to show greater vulnerabilities to some attack vectors more than others. For Mexico, one in four attacks within the last year resulted from the use of external media devices such as USB sticks, Sophos reports in The Impossible Puzzle of Cybersecurity. This is why it’s important to train employees to only use company-provided devices and to enforce company computer use policies.

                                                              Middle East

                                                              118. One in Every 118 Emails in Saudi Arabia Is Malicious

                                                              Looks like Saudi Arabia leads the world in terms of the highest number of malicious emails, according to Broadcom’s 2019 ISTR. They are followed by Israel (1 in 122), Austria (1 in 128), and South Africa (1 in 131).  

                                                              119. 52.68% of Iranian Users Have Mobile Malware Infections

                                                              Mobile malware is a growing issue in many countries, various lists of cyber security statistics show. But Comparitech reports that they observed that more than half of the users who sustained cyber attacks in Q3 2019 had mobile malware infections.


                                                              120. 110,000 Daily Bot Infections in German IT Systems Reported

                                                              There were up to 100,000 daily bot infections affecting German IT systems reported to the BSI between June 1, 2018 and May 31, 2019, according to The State of IT Security in Germany in 2019 report and data from AV-Test Institute. The data is from Germany’s Federal Office for Information Security (Bundesamt fur Sicherheit in der Informationstechnik, or BSI for short). But the report indicates something even more disturbing:

                                                              “Over half of all attacks are now executed with compromised cloud servers or servers that are legitimately rented, but then misused. Accordingly, almost every cloud service provider has now been misused by criminals to execute DDoS attacks on at least one occasion.”

                                                              121. German Institute Registers 350,000+ New PAUs and Malware Daily

                                                              Here’s another dose of malware-related cyber security stats to make your day. As of May 4, the AV-TEST Institute reports that they register more than 350,000 new potentially unwanted applications (PAUs) and malicious software each day. Yes, they register that many new PAUs and malware every day.

                                                              122. Denmark Reports the Lowest Number of Users with Malware Infections (3.15%)

                                                              And, last but not least, our final item on this list of cyber security statistics. Based on seven specific criteria items, Denmark is ranked the world’s most cyber-secure country by Comparitech. Their numbers, based on Q3 2019 reported cyber attacks, moved them up from fourth place in Comparitech’s 2019 report. Compare this to the United Kingdom (7.69%), U.S. (9.075), and France (15.09%).

                                                              While there are many other compelling cyber security statistics out there, we simply can’t compile and write about all of them. There isn’t enough time and, frankly, “current” cybersecurity stats are always changing as new data comes to light. However, be sure to subscribe and follow our blog because many aspects of the statistics we’ve covered — and other stats that we haven’t yet touched upon — will be covered in future Hashed Out blog posts. Stay tuned.

                                                              Wrapping Up the 2020 List of Cyber Security Statistics

                                                              Yeah, that was a lot to take in. But we hope that this list of cyber stats provides you with a plethora of useful information about every aspect of cybersecurity.

                                                              Looking at the data here, it’s easy to see that cybercriminals represent an imminent threat to businesses, governments, and consumers alike. However, it also demonstrates that the biggest threats exist within our own organizations — and I’m not just talking about insider threats. No, I’m talking about:

                                                              • A lack of visibility in terms of network security and asset management.
                                                              • A lack of adequate cybersecurity defenses, personnel, or resources.
                                                              • A lack of cyber awareness among employees.
                                                              • A lack of cyber-related policies and business processes — or the enforcement of them.

                                                              Thankfully, there are things you can do to help protect your organization from many of these growing threats. Follow industry best practices, implement the use of defense technologies and resources from reputable vendors, and offer in-house or third-party cyber awareness training to decrease employee ignorance and apathy. Do you have other current cyber security statistics that you’d like to share with me and your fellow readers? I’d love to see them! Be sure to share them in the comments section below.

                                                              *** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: